Home / News

EU: New guidance targets device cybersecurity under MDR, IVDR

2020/01/08  FiercePharma

The Medical Device Coordination Group (MDCG) on Monday unveiled new guidance to help manufacturers fulfill all the relevant cybersecurity requirements in Annex I of the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

The 47-page guidance, which aligns with cybersecurity guidance from the International Medical Device Regulators Forum, explains both the premarket and postmarket requirements to help companies ensure an adequate balance between the benefits and risks during all of a device’s possible operation modes.

MDCG notes that manufacturers should foresee or evaluate the potential exploitation of cyber vulnerabilities that may be a result of “reasonably foreseeable misuse.”

“This, however, may depend on the specific situation. For example, using an unsecured memory-stick to enter data into a medical IT system can be considered ‘reasonably foreseeable misuse’, while the input of x-ray images via a CD may be considered ‘intended use’. Due to the huge variety of use environments, this decision may even depend on the specific installation and use environment,” the guidance says.

MDCG also calls for companies to include security issues in the risk assessment, even in cases where security is not stated explicitly in the regulations’ requirements.

“Security issues may be of both weak and/or restrictive security: a) Weak security: for example, weak access control may allow malicious modification of the operation of an implanted cardiac device. b) Restrictive security: the use of too restrictive security measures that provide a high level of protection may have a safety impact, especially if the security functionalities are not well designed. For example, during an emergency, the medical personnel must be able to access an implanted cardiac device without restrictions, but strong security measures need to be in place under normal operating conditions,” the guidance says.

On the postmarket side, the guidance also further discusses how manufacturers will need to share and disseminate cybersecurity information and vulnerabilities, and respond to vulnerabilities and incidents. Annex II of the guidance distinguishes between incidents and serious incidents from the point of view of cybersecurity.

For example, an unauthorized person’s ability to overwhelm a pacemaker with requests and cause premature battery depletion would be considered a serious incident.

To continue reading this article please go to FiercePharma .